Method for controlling a component of a distributed safety-relevant system

ABSTRACT

A method of triggering a component (Akt_1) in a distributed safety-related system, in particular a component (Akt_1) of an X-by-wire system in a motor vehicle, is described. The component (Akt_1) is triggered by a process computer (Pro_1) assigned to the component (Akt_1) and connected to a communication system (K_1) via a communications controller (S_1). A monitoring unit which is independent of the process computer (Pro_1) is provided for monitoring the process computer (Pro_1). To simplify the design of such a safety-related system while at the same time at least retaining the safety that is achievable on enabling the components, the functions of the monitoring unit are executed by the communications controller (S_1). The communications controller (S_1) preferably executes a question-and-answer communication with the process computer (Pro_1).

BACKGROUND INFORMATION

[0001] The present invention relates to a method of triggering a component in a distributed safety-related system, in particular a component of an X-by-wire system in a motor vehicle. The component is triggered by a process computer assigned to the component and connected to a communication system via a communications controller. A monitoring unit which is independent of the process computer is provided for monitoring the process computer.

[0002] The present invention also relates to a communications controller for connecting a process computer to a communication system, the process computer being used for triggering a component of a distributed safety-related system, in particular a component of an X-by-wire system in a motor vehicle, and a communication protocol running on the communications controller to implement data transfer between the process computer and the communication system.

[0003] A method of the type defined in the preamble is known for example from German Patent Application 198 26 131 A1. This publication describes a distributed safety-related system as an electric brake system of a motor vehicle. Components of this system are designed as the brakes of the motor vehicle, i.e., more precisely, as actuators for triggering the brakes. Such a system is extremely safety-related, because faulty triggering of the components, in particular faulty actuation of the brakes, may result in an unforeseeable safety risk. For this reason, the possibility of faulty triggering of the components must be ruled out reliably.

[0004] Essential features of the known brake system include a pedal module for central determination of the driver's intent, four wheel modules for wheel-individualized regulation of the brake actuators, and a processing module for calculating higher-level brake functions. Communication among individual modules may take place through a communication system. FIG. 2 of the present patent application shows the internal structure of a wheel module having various logic levels as an example. Logic level L1 includes at least the calculation of the control and regulating functions for the wheel brakes, while logic levels L2 through L4 include different functions for computer monitoring and function testing of L1.

[0005] Triggering of the brakes, i.e., the electric motors for actuating the brake shoes, includes the following steps for each wheel module equally:

[0006] a) Determining at least one triggering signal (f_1) for the brake by a first microcomputer system (R_1A) as a function of at least one input signal (a_R2, a_R3, a_R4; a_V,ref; s_R2, s_R3, s_R4; Δs_V,ref; v_F; n_1; d_1; F_1 i; a_R1; s_R1). The input signals are made available to the microcomputer system (R_1A) via a communication system (K_1), e.g., a bus system.

[0007] b) Determining at least one logic triggering signal (e_1H). The logic triggering signal (e_1H) is determined at least partially by a monitoring unit (R_1B), which is independent of the first microcomputer system (R_1A), as a function of the at least one input signal.

[0008] c) Comparing the at least one triggering signal (f_1) with the at least one logic triggering signal (e_1H) in a power electronics unit (LE_1K).

[0009] d) Determining at least one enabling signal (within the power electronics LE) as a function of the result of the comparison of the triggering signal (f_1) and the logic triggering signal (e_1H); and

[0010] e) Relaying the at least one triggering signal (f_1), or a signal (i_1K) which depends on the triggering signal (f_1), to the brake, i.e., to an actuator Akt_1 for the brake shoes, if the at least one enabling signal has a preselectable value.

[0011] The monitoring unit (R_1B) in particular detects systematic (common mode) faults. One example of such a fault is a fault in the power supply. With the known brake system, the monitoring unit (R_1B) is designed as an independent microcomputer system. As an alternative, however, the monitoring unit (R_1B) may also be designed as a hardware module without its own processor, so that it is capable of executing concrete logic functions or, if it has a register, it may even execute switching functions. An example of such a hardware module is an ASIC (application-specific integrated circuit), an FPGA (field-programmable gate array) or a monitoring circuit (watchdog).

[0012] One disadvantage of the related art is that logic level L4 is always implemented in a separate component, which must also be provided multiple times within the distributed safety-related system—e.g., in wheel modules of an electric brake system.

[0013] The object of the present invention is to simplify the design of a distributed safety-related system while at the same time at least retaining the safety that is achievable on enabling the components.

[0014] To achieve this object, the present invention proposes, starting with the method of the type defined in the preamble, that the functions of the monitoring unit be fulfilled by the communications controller.

ADVANTAGES OF THE INVENTION

[0015] It is thus proposed according to the present invention that a separate monitoring unit be omitted and that the functions of the monitoring unit instead be executed by such units of the distributed safety-related system that are provided in the system anyway. These units must have their own intelligence to be able to perform their own calculations, at least to a limited extent. In particular the communications controller by which the process computer is connected to the communication system is suitable as such a system unit which, according to the present invention, may assume the functions of the monitoring unit.

[0016] It has now become standard for virtually all manufacturers to use communication systems in motor vehicles. Data may be transmitted over the communication system, e.g., according to the CAN protocol (controller area network), the TTCAN protocol (time triggered CAN), TTP/C (time triggered protocol for class C according to SAE), or the FlexRay protocol. These protocols usually have a global time, i.e., a time base that is valid throughout the system. It plays an important role in the time control in communication (e.g., in time-controlled communication protocols) and in the application (e.g., in time-controlled operating systems), but also for diagnostic functions and fault recognition and/or fault handling. In other words, this means that each communications controller of such a system has its own clock (quartz), synchronized with all the other clocks in the system via the mechanism of global time. Because of these possibilities, the communications controller may be used for monitoring the microcomputer without any problem.

[0017] According to an advantageous refinement of the present invention, it is proposed that a list of questions to be presented at preselectable points in time to the process computer to be monitored be made available to the communications controller, the process computer giving an answer to the communications controller and this answer then being analyzed by the latter. This type of monitoring of a process computer is also known as question-and-answer communication. The list is preferably stored in a memory element, in particular a random-access memory, a read-only memory, or a flash memory. The questions are, for example, simple values having multiple bits which are processed by the process computer in a preselectable manner. This processing may range from a simple inversion of the question to a complex calculation including a memory test. The result of this processing is the process computer's answer to the question posed.

[0018] According to an advantageous embodiment of the present invention, it is proposed that the answer be checked for whether it was delivered within a preselectable period of time. A timer is started as soon as a question is supplied to the process computer. If the answer by the process computer does not fall within a time window defined by the starting point in time and the period of time, it is concluded that there is a fault in the process computer, and suitable countermeasures are initiated to prevent a safety-related situation.

[0019] As an alternative or in addition, it is proposed that the answer be checked for whether it is correct. To this end, the answer is checked for whether it is entered in a list as the correct answer to the question posed. The correct answers may be stored together with the corresponding questions in a memory element, in particular a random-access memory, a read-only memory, or a flash memory of the communications controller.

[0020] According to an advantageous refinement of the present invention, the questions are posed to the process computer by the communications controller periodically. As an alternative, the questions may also be presented randomly or according to a certain time pattern.

[0021] As a suitable countermeasure in the event of an incorrect answer and/or an answer outside of a preselectable period of time, the communications controller may assume the function of shutting down the process computer according to a preferred embodiment of the present invention. As an alternative or in addition, the communications controller may assume the function of shutting down the component to be triggered.

[0022] As another implementation of the object of the present invention, it is proposed, starting with the communications controller of the type defined in the preamble, that the communication protocol be supplemented by mechanisms which make it possible for the communications controller to monitor the process computer. These mechanisms to be supplemented concern in particular (periodically) posing questions, setting a timer for the time window to be monitored, monitoring the time window, and checking the answer from the process computer.

[0023] According to an advantageous refinement of the present invention, it is proposed in particular that the communication protocol be supplemented by mechanisms for execution of the method according to the present invention.

[0024] Finally, it is proposed that the communications controller have a memory element, in particular a random-access memory, a read-only memory or a flash memory, in which questions for the process computer and correct answers for a question-and-answer communication with the process computer are stored.

DRAWINGS

[0025] Additional features, possible applications, and advantages of the present invention are derived from the following description of exemplary embodiments of the present invention which are illustrated in the drawing. All the features described or illustrated here, either alone or in any desired combination, constitute the object of the present invention, regardless of how they are worded in the patent claims or their reference back to a preceding claim and regardless of how they are formulated in the description or illustrated in the drawing.

[0026] FIG. 1 shows a distributed safety-related system in a sectional view for implementation of a method according to the present invention in a preferred embodiment.

[0027] FIG. 2 shows a triggering module known from the related art as part of a distributed safety-related system.

[0028] FIG. 3 shows a flow chart of a method according to the present invention in a preferred embodiment.

[0029] FIG. 4 shows a detail of the flow chart from FIG. 3 concerning a question-and-answer communication between a communications controller and a process computer.

DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

[0030] The method according to the present invention is explained in greater detail below on the basis of an electric brake system. However, the present invention is not limited to electric brake systems, but instead may be used for any distributed safety-related systems in which system components are triggered by process computers. The present invention allows reliable enabling of the components without the use of additional monitoring units to monitor the process computers. The functions of the monitoring units are instead assumed by the units of the safety-related system which are present in the system anyway, in particular communications controllers by which the process computers are connected to a communication system.

[0031] For each vehicle wheel to be braked, the brake system includes a wheel module R_1, R_m. Each wheel module R_1, R_m includes a microcomputer system P_1, P_m and an enabling circuit FS_1, FS_m. Microcomputer systems P_1, P_m each include a process computer Pro_1, Pro_m and an intelligent communications controller S_1, S_m. Process computer Pro_1, Pro_m and communications controller S_1, S_m of a microcomputer system P_1, P_m may be combined on a semiconductor module (called a chip); however, they are always designed as separate and independent units. Each wheel module R_1, R_m is connected to a physical databus K_1 via a communications controller S_1, S_m. Data is transmitted over the databus according to, for example, the TTCAN, TTP/C or FlexRay protocol. Wheel modules R_1, R_m each control one actuator Akt_1, Akt_m which includes one or more electric motors, for example, for actuation or release of the wheel brakes.

[0032] The monitoring concept known from the related art (see FIG. 2) for checking on the process computer (Pro_1) by a question-and-answer communication is replaced by the process computer-communications controller concept according to the present invention as illustrated in FIG. 1. Communications controller S_1 assumes the function of monitoring unit R_1B from the related art and periodically poses questions to process computer Pro_1 to obtain the correct answer within a preselectable time window. For the case when the answer fails to come within the time window or the correct answer to the question is not given, communications controller S_1 assumes the function of shutting down process computer Pro_1 (signal A) and/or shutting down connected component Akt_1 via enabling circuit FS_1 (signal B).

[0033] For implementation of the concept according to the present invention, communications controller S_1 must merely be supplemented by a list of questions and answers. The communication protocol of communications controller S_1 is supplemented by mechanisms which permit periodic questioning, setting the corresponding timer for the time window, monitoring this time window, and checking the answer. Finally, communications controller S_1 has a pin (signal output A) for enabling process computer Pro_1 and a pin (signal output B) for enabling the enabling circuit FS_1. These pins are operated by communications controller S_1.

[0034] Communications controller S_1 conducts a question-and-answer communication with process computer Pro_1, which is incorporated into the normal protocol operations (actual sending and receiving of messages, message confirmation, possibly membership service, and global time). This yields a slight increase in the load on communications controller S_1 but a significant improvement in the use of units within a distributed safety-related system. In addition, communications controller S_1 makes available software and hardware interfaces to permit connection to enabling circuit FS_1 and/or to a suitable pin of process computer Pro_1. Enabling circuit FS_1 is thus operated by process computer Pro_1 and also by communications controller S_1. In addition, process computer Pro_1 itself may be connected to communications controller S_1 so that process computer Pro_1 may be shut down itself, e.g., by connecting to a reset line of process computer Pro_1.

[0035] The process computer-communications controller concept according to the present invention for performing the question-and-answer communication may be implemented with any control unit equipped with a communications controller having an independent and autonomous clock. In the ideal case, this clock is synchronized with a global time of the entire distributed safety-related system by a clock synchronization mechanism. Communications controller S_1 must convert the mechanism of the question-and-answer communication and must have available the required configuration data and/or provide interfaces to process computer Pro_1 and to enabling circuit FS_1.

[0036] Communications controller S_1 must have the list of questions and the list of correct answers programmed in its permanent memory. A flash EPROM, for example, is especially suitable for this purpose; in most cases other configuration data for the actual communication is also stored there. The clock (timer) for setting the timeouts for the time window to be monitored must be configured in advance. When using a fault counter (count), the upper limit for the count must also be defined.

[0037] Communications controller S_1 offers a hardware interface which allows wiring of the resulting shutdown logic circuit from the question-and-answer communication with process computer Pro_1 (signal A) and with the additional enable circuit FS_1 (signal B). The questions and answers are exchanged over a common memory area (dual port RAM) DPRAM_1 between process computer Pro_1 and communications controller S_1. This common memory area DPRAM_1 forms a software interface between communications controller S_1 and process computer Pro_1. For example, a 16-bit value is set in the software interface by communications controller S_1 (question) and the answer is read out by the software interface within the timeout. In addition, another software interface may also be available in communications controller S_1 to make the status of the question-and-answer communication available to the outside (e.g., “timeout exceeded” or “answer correct”).

[0038] Communications controller S_1 must perform the analysis of the answer received by process computer Pro_1 and a comparison with the answers stored in the answer list. To do so, additional mechanisms are to be taken into account in the normal communication protocol to permit addressing of the table in which the answer list is stored and a simple comparison of two values. Furthermore, any fault counters (count) present may also be managed.

[0039] The method according to the present invention is explained in detail below on the basis of FIGS. 3 and 4. This method begins in a function block 1. The initial situation is an active distributed network having functioning members (communications controllers S_1, S_m and their process computers Pro_1, Pro_m). There is no signal for shutting down process computer Pro_1 or component Akt_1 to be triggered (via enabling circuit FS_1).

[0040] A system start is executed in a function block 2. Then in a function block 3, communications controller S_1 and process computer Pro_1 are initialized. Then the normal application begins with sending and receiving messages (function block 4).

[0041] In addition, communications controller S_1 also initiates the question-and-answer communication (function block 5). The two sequences which are represented only symbolically by function blocks 4 and 5 are routines which may be executed not only in succession but also concurrently, i.e., simultaneously or more or less in parallel. Question-and-answer routine 5 is shown in detail in FIG. 4 and explained in greater detail below.

[0042] In a query block 6, a check is performed to determine whether the method is to be terminated or not. The method is terminated, for example, when the corresponding member or the entire distributed system is being ramped down. If the method is not to be terminated, it branches off again to function block 4. Otherwise the method according to the present invention is terminated in a function block 7.

[0043] FIG. 4 shows the question-and-answer routine from function block 5 in greater detail. In a function block 51, a certain question is selected from the catalog of questions stored in the EPROM memory element of communications controller S_1. The choice of question may involve cyclic processing or processing by a preselectable pattern or a random pattern (e.g., linked to the current system time of communications controller S_1). The selected question is then made available to process computer Pro_1 in a function block 52 via software interface DPRAM_1, and the timer is started in function block 53. Monitoring of the time window is part of the additional protocol sequence in communications controller S_1 and may also be triggered in different ways, e.g., by polling or by a capture-and-compare logic circuit in communications controller S_1.

[0044] Process computer Pro_1 contains suitable software which processes the question of communications controller S_1 (function block 54) and determines a corresponding answer to the question (function block 55). The algorithms and/or methods used for this are not the object of the present invention and may range from a simple inversion of the question to a complex calculation including a memory test. The software in process computer Pro_1 then gives the answer to communications controller S_1 via software interface DPRAM_1 in a function block 56.

[0045] Then in a function block 57, the answer is read out of software interface DPRAM_1 into communications controller S_1. In a function block 58, the answer given by process computer Pro_1 is compared with the correct answer entered into the answer list via an analyzer logic circuit of communications controller S_1. In the normal case, communications controller S_1 receives the correct answer (output “no”). The result of the question-and-answer communication is additionally set in a status register (function block 59), i.e., in this case a positive status. From here, question-and-answer routine 5 branches back to function block 6 in FIG. 3. The next question may then be posed to process computer Pro_1, e.g., after the timeout, and then question-and-answer routine 5 is run through again. This results in a cyclic question-and-answer protocol. Initiation of the next question, however, may also take place at predetermined points in time (see also time-controlled communication protocols, which make each protocol step dependent on reaching a certain point in time).

[0046] In the case of a fault (output “yes” from query block 58), the answer given by process computer Pro_1 will not match the corresponding correct answer to the question in the configured list of communications controller S_1 or it will not come within the defined time window.

[0047] As part of fault handling, first a fault counter is incremented (function block 60). Then in a function block 61, signal A for shutting down process computer Pro_1 is triggered. Likewise in a function block 62, signal B for shutting down actuator Akt_1 may be sent via enabling circuit FS_1. Steps 61 and 62 may be processed with each fault handling operation. As an alternative, however, they may also be processed only when the fault count, which has been incremented in function block 60, has exceeded a preselectable limit value. Through steps 61 and 62, participation of the shut-down units Pro_1 and Akt_1 in the communication is stopped until there is a proper system restart. In a function block 63, the end of the method according to the present invention is preselected so that the method ends in function block 7 after the next run-through of query block 6.
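The question-and-answer communication described in paragraphs [0017] through [0021] and worked through in function blocks 51 to 63 above, modelled in C as an added example that is not code from the patent: a question catalogue and answer list standing in for the flash EPROM of S_1, the DPRAM_1 software interface, the time window, the answer check, the fault counter and signals A and B. The tick-based polling timer, the catalogue values, the "inversion" processing rule and the simulated process computer are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Question catalogue and answer list, standing in for the flash EPROM of S_1.
 * Constructed values; each answer is the bitwise inversion of its question. */
#define N_QUESTIONS 4
static const uint16_t question_list[N_QUESTIONS] = {0x1234, 0xA5A5, 0x0000, 0xFFFF};
static const uint16_t answer_list[N_QUESTIONS]   = {0xEDCB, 0x5A5A, 0xFFFF, 0x0000};
/* Values of the status register (function block 59 and the fault path). */
enum { QA_ANSWER_CORRECT = 1, QA_TIMEOUT = -1, QA_ANSWER_WRONG = -2 };

/* Common memory area DPRAM_1: software interface between S_1 and Pro_1. */
typedef struct {
    uint16_t question;
    uint16_t answer;
    bool     answer_valid;   /* set by Pro_1 once it has written its answer */
} dpram_t;

/* Monitoring state of communications controller S_1. */
typedef struct {
    unsigned timeout_ticks;  /* length of the time window, configured in advance */
    unsigned fault_limit;    /* upper limit for the fault counter */
    unsigned fault_count;
    bool     signal_a;       /* shut down process computer Pro_1 (e.g. reset line) */
    bool     signal_b;       /* shut down Akt_1 via enabling circuit FS_1 */
    int      status;         /* status register exposed to the outside */
} controller_t;

/* Simulated process computer Pro_1 (assumption): answers after latency_ticks;
 * 'corrupt' models a faulty computation so the wrong-answer path can be seen. */
typedef struct {
    unsigned latency_ticks;
    bool     corrupt;
} process_computer_t;

static void controller_init(controller_t *c, unsigned timeout_ticks, unsigned fault_limit)
{
    c->timeout_ticks = timeout_ticks;
    c->fault_limit = fault_limit;
    c->fault_count = 0;
    c->signal_a = c->signal_b = false;
    c->status = 0;
}

/* Pro_1 side (blocks 54..56): process the question and write the answer to DPRAM_1. */
static void pro1_answer(const process_computer_t *pc, dpram_t *dp)
{
    uint16_t ans = (uint16_t)~dp->question;
    if (pc->corrupt)
        ans ^= 0x0001;       /* simulated fault: one bit of the answer is wrong */
    dp->answer = ans;
    dp->answer_valid = true;
}

/* One pass of question-and-answer routine 5 (blocks 51..63) on S_1.
 * Returns the value written to the status register. */
static int qa_routine(controller_t *c, dpram_t *dp, const process_computer_t *pc, unsigned idx)
{
    idx %= N_QUESTIONS;                  /* block 51: cyclic choice of the question */
    dp->question = question_list[idx];   /* block 52: hand the question over via DPRAM_1 */
    dp->answer_valid = false;

    /* Block 53: start the timer; the time window is monitored here by polling. */
    for (unsigned tick = 1; tick <= c->timeout_ticks && !dp->answer_valid; tick++)
        if (pc->latency_ticks <= tick)
            pro1_answer(pc, dp);

    /* Blocks 57/58: read the answer and compare it with the stored correct answer. */
    if (dp->answer_valid && dp->answer == answer_list[idx]) {
        c->status = QA_ANSWER_CORRECT;   /* block 59: positive status */
        return c->status;
    }

    /* Fault handling (blocks 60..62): count the fault; signals A and B are raised only
     * once the count exceeds the configured limit. The counter is never cleared here. */
    c->status = dp->answer_valid ? QA_ANSWER_WRONG : QA_TIMEOUT;
    c->fault_count++;
    if (c->fault_count > c->fault_limit) {
        c->signal_a = true;              /* block 61: shut down Pro_1 */
        c->signal_b = true;              /* block 62: shut down Akt_1 via FS_1 */
    }
    return c->status;
}
```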

What is claimed is:
1. A method of triggering a component (Akt_1) in a distributed safety-related system, in particular a component (Akt_1) of an X-by-wire system in a motor vehicle, the component (Akt_1) being triggered by a process computer (Pro_1) which is assigned to the component (Akt_1) and connected via a communications controller (S_1) to a communication system (K_1), and a monitoring unit which is independent of the process computer (Pro_1) being provided for monitoring the process computer (Pro_1), wherein the functions of the monitoring unit are executed by the communications controller (S_1).
2. The method as recited in claim 1, wherein a list of questions to be presented at preselectable points in time to the process computer (Pro_1) to be monitored is made available to the communications controller (S_1), the process computer (Pro_1) giving an answer to the communications controller (S_1) and this answer then being analyzed by the latter.
3. The method as recited in claim 2, wherein the answer is checked for whether it was delivered within a preselectable period of time.
4. The method as recited in claim 2, wherein the answer is checked for whether it is correct.
5. The method as recited in claim 4, wherein the answer is checked for whether it is entered in a list as the correct answer to the question posed.
6. The method as recited in one of claims 2 through 5, wherein the questions are posed to the process computer by the communications controller periodically.
7. The method as recited in one of claims 1 through 6, wherein the communications controller assumes the function of shutting down the process computer if the answer is incorrect and/or is not delivered within a preselectable period of time.
8. The method as recited in one of claims 1 through 6, wherein the communications controller assumes the function of shutting down the component to be triggered if the answer is incorrect and/or is not delivered within a preselectable period of time.
9. A communications controller for connecting a process computer (Pro_1) to a communication system (K_1), the process computer being used to trigger a component of a distributed safety-related system, in particular a component of an X-by-wire system in a motor vehicle, and a communication protocol being run on the communications controller (S_1) for implementation of a data transfer between the process computer (Pro_1) and the communication system (K_1), wherein the communication protocol is supplemented by mechanisms which make it possible for the communications controller (S_1) to monitor the process computer (Pro_1).
10. The communications controller (S_1) as recited in claim 9, wherein the communication protocol is supplemented by mechanisms for execution of a method as recited in one of claims 2 through 8.
11. The communications controller (S_1) as recited in claim 8 or 9, wherein the communications controller has a memory element, in particular a random-access memory, a read-only memory, or a flash memory, in which questions for the process computer and correct answers for a question-and-answer communication with the process computer are stored.